Oracle fires back at security researcher on PLSQL patch

IDG News Service - Oracle Corp. and a security researcher are trading barbs over a vulnerability in the company's software that has gone unpatched since it was discovered in October.
Oracle is warning its customers not to use a work-around written by David Litchfield for a security vulnerability (see "Zero-day Oracle hole leads to third-party work-around"), saying it could break Oracle's software. Litchfield, managing director of Next Generation Security Software Ltd. in Sutton, England, said he posted the fix on the BugTraq mailing list on Wednesday after warning Oracle about the dangers the vulnerability posed.
Oracle was notified of the work-around before it was released, but has found it "inadequate," said Duncan Harris, Oracle's senior director of security assurance. It will break a large number of E-Business Suite applications, he said.
"We know it will break a number of Oracle products higher in the stack than the Oracle Application Server that the vulnerability exists in," Harris said.
Oracle has issued several patches for the vulnerability over the past four years, none of which worked, Litchfield said Friday.
The vulnerability affects Oracle Application Server, Oracle Internet Applications Server and Oracle HTTP Server. The vulnerability lies with the PLSQL gateway, a bit of code that allow Web-based users to interact with PLSQL applications in the back-end database server, Litchfield said. The gateway passes a user request to the back-end database server and executes there, he said.
"Someone can come in off the Internet over the Web without a user ID or password and interact with the back-end database server, so it goes through all the firewalls," Litchfield said. "This is critical."
The fix is "trivial" and he doesn't understand why a patch was not included in Oracle's Critical Patch Update last week. When a fix wasn't issued, Litchfield said he thought, "Well, you know, I'll do it then. ... It's not difficult."
But Harris contested that assumption. "Compared to some others, this one is extremely difficult to fix and test it thoroughly," he said.
Oracle prioritizes vulnerabilities as far as patching, Harris said. So far, no exploit code has been released. If exploit code is released, Oracle could push out a quick one-time emergency patch, Harris said. The next patching round is scheduled for April, and whether this vulnerability is fixed will depend on whether there are other more pressing ones, he said.
Nonetheless, Harris assailed Litchfield's action.
"By just revealing what he has in this work-around, it definitely is a very strong starting point for any malicious hacker... to try and understand the vulnerability and

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.